Access Control Lists (ACLs) VS Query Business Rules (QBR)

There is no right answer

This is an issue as old as the “HI security plugin”. Before that, I’m not sure how ServiceNow secured its tables, as it was before my time.

I’ve been asked in the past to remove the message “n records removed by security…”, and it can be done, but it shouldn’t be.

Here’s my take on it.

Access Control Lists (aka ACLs) are there for two reasons:

  • maintainability
  • field-level control

You could replace every table’s Access Control Lists with Query Business Rules, but that is not where security is normally configured.

Here are some very insightful quotes from people I respect on the topic, and links to the resources:

gflewis asked in 2011

What are the pros and cons of using an Access Control versus a Before Query Business Rule to block certain users from reading certain records? As far as I can tell, the functionality appears to be identical.

CapaJC responded in 2011

Before query is highly preferable if you can use one. It makes the database do the work by modifying the query itself. With Contextual Security, your instance has to decide per record what a user can see after fetching them from the database.

With a before query rule, unavailable records are simply not there as far as the user is concerned. With Contextual Security they might get a list of 4 visible records, and the list might say 1 to 100 of 546 with a message at the bottom saying “96 records removed due to security constraints”.[1]

More recently Tim W. wrote in 2018

ACLs Vs Query Business Rules: ACLs, but also sometimes query business rules; but usually for performance reasons more than security.[2]

Further Reading:

Jace Benson
ServiceNow Developer

ServiceNow is my day job, JAMStack is my passion.